kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-22 07:52:25 +02:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/docs/guides/administrator/Security_Guidelines.md

2.8 KiB
Raw Blame History

Security Guidelines

CyMaIS is designed with security in mind. However, while following our guidelines can greatly improve your systems security, no IT system can be 100% secure. Please report any vulnerabilities as soon as possible.

Additional to the user securitry guidelines administrators have additional responsibilities to secure the entire system:

  • Deploy on an Encrypted Server
    It is recommended to install CyMaIS on an encrypted server to prevent hosting providers from accessing end-user data. For a practical guide on setting up an encrypted server, refer to the Hetzner Arch LUKS repository 🔐. (Learn more about disk encryption on Wikipedia.)

  • Centralized User Management & SSO
    For robust authentication and central user management, set up CyMaIS using Keycloak and LDAP. This configuration enables centralized Single Sign-On (SSO) (SSO), simplifying user management and boosting security.

  • Enforce 2FA and Use a Password Manager
    Administrators should also enforce 2FA and use a password manager with auto-generated passwords. We again recommend KeePass. The KeePass database can be stored securely in your Nextcloud instance and synchronized between devices.

  • Avoid Root Logins & Plaintext Passwords
    CyMaIS forbids logging in via the root user or using simple passwords. Instead, an SSH key must be generated and transferred during system initialization. When executing commands as root, always use sudo (or, if necessary, sudo su—but only if you understand the risks). (More information on SSH and sudo is available on Wikipedia.)

  • Manage Inventories Securely
    Your inventories for running CyMaIS should be managed in a separate repository and secured with tools such as Ansible Vault 🔒. Sensitive credentials must never be stored in plaintext; use a password file to secure these details.

  • Reporting Vulnerabilities
    If you discover a security vulnerability in CyMaIS, please report it immediately. We encourage proactive vulnerability reporting so that issues can be addressed as quickly as possible. Contact our security team at security@cymais.cloud DO NOT OPEN AN ISSUE.

By following these guidelines, both end users and administrators can achieve a high degree of security. Stay vigilant, keep your systems updated, and report any suspicious activity. Remember: while we strive for maximum security, no system is completely infallible.